“123456”, the Password You Wouldn’t Expect

Security Awareness
30 July 2025
McDonald's: the incredible security flaws in its AI hiring system

Cybersecurity: an Effective Password is the First Rule, but Too Many Still Ignore It

It seems incredible that in 2025 weak, even extremely weak passwords are still being used, like “123456”, and it’s even more incredible that this was done by an artificial intelligence platform used for hiring employees of a well-known multinational.

The company in question is McDonald’s, and the platform is McHire, developed by the artificial intelligence company Paradox.ai and used for job applications to work in the US franchise.

The news is that to access and apply, it appears it was sufficient to enter the credentials “123456” as username and password.

Two researchers, Ian Carroll and Sam Curry, discovered that the data of 64 million people were easily accessible to anyone.

Carroll explains that he noticed this disturbing flaw because he was curious about McDonald’s decision to subject candidates to an AI chatbot evaluation and personality test.

“I thought,” he said, “that compared to a normal hiring process, it was quite a dystopian choice. And that’s what made me want to investigate further. So I started applying for a job and after 30 minutes I had access to practically every application submitted to McDonald’s over years and years.”

Although the access led to a panel with Paradox.ai employee data for a “test” restaurant that wasn’t real, the researchers were able to view chatbot conversations with other candidates.

From there, they were able to identify another vulnerability through an API (Application Programming Interface, a protocol that allows two different computer services to communicate with each other), which allowed the two researchers to also discover unencrypted candidate data: first name, last name, phone number, residential address, email, and so on.

Personal and sensitive data multiplied by 64 million, everyone who had accessed the platform. A very rich and easy prize for any malicious actors.

The problem was immediately reported to McDonald’s and Paradox.ai on the same day it was discovered, last June 30. Shortly after, the “123456” credentials were eliminated and by July 7, all issues were resolved according to the AI company.

In a statement to Wired, McDonald’s stated: “We are disappointed by this unacceptable vulnerability from a third-party vendor, Paradox.ai. As soon as we became aware of it, we directed the company to remedy it immediately and the issue was resolved the same day it was reported to us.”

Paradox.ai, for its part, tried to minimize the damage while not hiding its responsibilities.

According to the company’s internal investigations, the test panel accessed by the two researchers hadn’t been used since 2019 and yes, it should have been deactivated, but no one besides the researchers had ever used it. Following the incident, a bug bounty program was also launched, an initiative that financially rewards researchers like Carroll and Curry who identify security flaws and then share them with the company itself.

But this McDonald’s case is just the latest in a series of similar incidents.

For example, among the most striking cases was that of the US Department of the Interior, where in 2023, following an internal investigation, it was discovered that the most commonly used password in the offices was “Password-1234”, which allowed the accounts of 14,000 employees to be compromised in just 90 minutes.

Or the demonstrative act from a few years ago that allowed hackers to breach an oil tanker navigating in the Adriatic Sea in just 10 minutes because it protected its systems with the password “1234”.

The list could go on, but these few examples are sufficient to reiterate that, despite all the cybersecurity campaigns, there is still much unawareness and carelessness globally in how we use the network. And the responsibility, in the end, always falls on the human factor which often underestimates basic protection principles due to carelessness.

In the cases listed in this article, we’re talking about the first security rule: choosing an effective password and changing it frequently. Not following this rule shows not only carelessness but also a poor, if not extremely poor, awareness of network risks, therefore a digital posture that’s certainly not adequate for the times we live in.

Today, defense techniques must pass not only through technology but also through the development of a true cybersecurity culture that must become an integral part of our private and professional lives.

In short, proper digital posture should increasingly become an inherent element in every individual, acquired from a young age.

This is why it would be important to teach it in schools, and maybe we’ll get there in the not-too-distant future. Meanwhile, since we can no longer afford to fall behind or lag behind technology that moves so quickly, it’s necessary to follow excellent training paths that are continuously updated on the latest criminal developments and include practical exercises and personalized training.

Considering that the human factor remains the most vulnerable, training, the right kind of training, remains the only way to protect ourselves, both in private and professional life.
